Find whether a filename exists on servers

Hey everyone,
I want to find a file named "baocao.docx" on 100 servers, to see if any file with that name exists on the servers and where it is located. How could I do that?

I have tried "File.01.3 - Files on disk (path-filename)" in the Live Discover feature, but Sophos technical support says that "the "File.01.3 - Files on disk (path-filename)" search will only look for the file within immediate files and will not search within subfolders."

  • Maybe you can find it in the sophos_file_journal table:

    https://docs.sophos.com/central/References/schemas/index.html?schema=endpoint_schema

    You will want to use the filter:

    WHERE file = 'baocao.docx'

    By default the time only goes back 15 mins unless you use the "time" column to specify a window.

    Note: If the window of time is too large it could hit a CPU limit.


    You can use Epoch Converter - Unix Timestamp Converter to get a starting point, e.g. time > 1735257600

    FileOtherChanges or FileOtherReads would be the subject, for example:

    SELECT * FROM sophos_file_journal WHERE file LIKE '%.txt' AND time > 1735257600

  • Another option that might work, depending what's in the file is the yara table.

    For example, if I want to find all PE files, identified by the MZ magic bytes at the start of a file in a directory and sub-directories I could use an inline YARA rule in the query:

    SELECT
    path,
    matches,
    sigrule
    FROM yara
    WHERE path like 'C:\Program Files\Sophos\%%'
    AND sigrule = 'rule inline_detect_pe_mz {
    strings:
    $mz_marker = { 4D 5A }
    condition:
    $mz_marker
    }';

    For example, the results might then be as follows; note that the matches column is populated only for the files that are PE files.

  • I suppose:

    SELECT * FROM file WHERE (path LIKE 'C:\%%\baocao.docx' OR path LIKE 'C:\%%\%%\baocao.docx' OR path LIKE 'C:\%%\%%\%%\baocao.docx')

    This would search the file system for the file in the top 3 directory levels without reading the file. For the future, if you wanted to perform analysis on the file, the yara table could offer more, for example:

    SELECT
      path, matches
    FROM yara
    WHERE (path LIKE 'C:\%%\baocao.docx'
        OR path LIKE 'C:\%%\%%\baocao.docx'
        OR path LIKE 'C:\%%\%%\%%\baocao.docx')
      AND sigrule = 'rule inline_detect_pk {
    strings:
    $pk_marker = { 50 4B }
    condition:
    $pk_marker
    }'
      AND count = 1

    This would find all files with that name in the first 3 top level directories and also give you the ability to match on other file data.


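As an added example (not taken from any of the replies above), the two Live Discover queries below combine the approaches discussed in the thread: the first walks the osquery file table recursively under a chosen root for the exact file name and hashes every hit, so the result set already carries what an investigator needs to confirm the copies are the same document; the second is the sophos_file_journal approach widened to a seven-day window that is computed on the endpoint, so no epoch converter lookup is needed. The file and hash table columns (path, directory, filename, size, mtime, type, sha256) are standard osquery; the journal column names (file, subject, time) are the ones used in the first reply; C:\Users as the search root is an assumption and should be narrowed or widened to suit the servers in question.

```sql
-- Added example, not from the original replies.
-- Query 1: find every regular file named baocao.docx under C:\Users
-- (assumed root) on the endpoint, with its size, last-modified time and
-- SHA-256.  '%%' recurses into every subfolder, which is what the
-- "Files on disk" canned query does not do.  Joining the hash table on
-- path makes osquery hash only the files that matched the name filter.
SELECT
  f.path,
  f.directory,
  f.size,
  datetime(f.mtime, 'unixepoch') AS last_modified,
  h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE 'C:\Users\%%'      -- assumed root; recursive match
  AND f.filename = 'baocao.docx'     -- exact name; LIKE '%.docx' for any Word file
  AND f.type = 'regular'             -- skip a folder that happens to carry the name
ORDER BY f.mtime DESC;

-- Query 2: the journal approach from the first reply, with the lookback
-- window computed on the endpoint (now minus 7 days) instead of a
-- hard-coded epoch value.  LIKE '%baocao.docx' matches whether the
-- column holds a bare name or a full path.  Keep the window short on a
-- busy server: a large window is what trips the CPU limit mentioned above.
SELECT
  time,
  datetime(time, 'unixepoch') AS event_time,
  subject,
  file
FROM sophos_file_journal
WHERE file LIKE '%baocao.docx'
  AND subject IN ('FileOtherChanges', 'FileOtherReads')
  AND time > strftime('%s', 'now') - 7 * 86400
ORDER BY time DESC;
```

Run either query against all 100 servers from Live Discover and the rows come back tagged with the hostname, so an empty result for a host means the name was not found there (query 1) or was not touched in the window (query 2). The recursive walk in query 1 enumerates every file under the root before the filename filter is applied, so pick the narrowest root you can rather than C:\%% on a file server.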